Just read through ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack | Elastic Blog
which all seems super interesting.
So... forgive me for my noobish questions, but I was wondering how exactly I should start building this on my own Elastic stack.
I guess I need to store the scripts first with How to write scripts | Elasticsearch Guide [7.12] | Elastic ?
As I'm using Winlogbeat, am I supposed to use this pipeline examples/problemchild_features.json at master · elastic/examples · GitHub
while ingesting Winlogbeat data, so that my Winlogbeat data contains the correct feature fields?
And then run data frame analytics classification on the resulting Winlogbeat index?
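To make the "feature fields" step concrete, here is a small added example (my own illustration, not Elastic's ProblemChild code and not the contents of problemchild_features.json) of what an ingest-time feature extractor does to a process-creation event before a classification job sees it. The sample events are constructed and loosely follow the ECS fields Winlogbeat emits; the feature names (`arg_count`, `switch_count`, `has_long_base64_arg`, and so on) are assumptions chosen for illustration, not the real pipeline's schema.

```python
"""
Toy feature extraction in the spirit of an ingest pipeline feeding a
classification job. The feature set below is assumed for illustration
and is NOT the one defined in problemchild_features.json.
"""
import re

# Constructed sample events (shapes loosely follow ECS fields from Winlogbeat;
# all values are made up for this example).
SAMPLE_EVENTS = [
    {"process": {"name": "powershell.exe",
                 # an obviously synthetic base64 blob (48 chars of "QUFB")
                 "command_line": "powershell.exe -nop -w hidden -enc " + "QUFB" * 12,
                 "parent": {"name": "winword.exe"}},
     "user": {"name": "alice"}},
    {"process": {"name": "svchost.exe",
                 "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
                 "parent": {"name": "services.exe"}},
     "user": {"name": "SYSTEM"}},
    {"process": {"name": "rundll32.exe",
                 "command_line": "rundll32.exe shell32.dll,Control_RunDLL",
                 "parent": {"name": "explorer.exe"}},
     "user": {"name": "bob"}},
]

# Either a double-quoted segment or a run of non-whitespace characters.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
_BASE64_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")


def tokenize(command_line):
    """Split a command line into tokens, keeping quoted segments together."""
    return _TOKEN_RE.findall(command_line or "")


def extract_features(event):
    """Return a flat dict of numeric/categorical features for one event.

    Flat, fixed-name fields are what a data frame analytics job expects;
    the ingest pipeline is the place to compute them once per document.
    """
    proc = event.get("process", {})
    cmd = proc.get("command_line", "")
    tokens = tokenize(cmd)
    args = tokens[1:]  # everything after the executable itself
    return {
        "process_name": (proc.get("name") or "").lower(),
        "parent_name": (proc.get("parent", {}).get("name") or "").lower(),
        "arg_count": len(args),
        "cmd_length": len(cmd),
        "switch_count": sum(1 for t in args if t.startswith(("-", "/"))),
        "has_long_base64_arg": any(_BASE64_RE.fullmatch(t) is not None for t in args),
        "max_token_length": max((len(t) for t in tokens), default=0),
    }


def featurize(events):
    """Apply extract_features to a batch of events (what the pipeline does per doc)."""
    return [extract_features(e) for e in events]


if __name__ == "__main__":
    for row in featurize(SAMPLE_EVENTS):
        print(row)
```

In a real deployment this logic lives in the ingest pipeline (Painless processors referencing stored scripts), Winlogbeat is pointed at that pipeline, and the classification job reads the enriched index; the point of the example is only to show the shape of the transformation in between.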